 From:  Denis Mirassou <mirassou at cict dot fr>
 To:  Josh <josh at nemesis dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] How to go up with a final M0n0Wall user (IP/MAC address) in case of trouble (network attack)?
 Date:  Wed, 29 Sep 2004 09:17:49 +0200
Josh wrote:
> edited:
>> I am testing M0n0Wall for the captive portal feature primarily.
>> For example, a sysadmin tells us someone xxx.xxx.xxx.xxx (from us) 
>> hacks  his server on Sept 25 02:57:56.
>> I would want to get the user IP Address.
> There are two problems
> 1) NAT
> If you have the address space avail one option is of course to not
> use NAT at all (so connections won't come from the m0n0 IP).  If
> that's not possible, the only option I can think of is to set up
> a rule to log all outbound (allowed) connections - to a dedicated
> syslog server.  You would need to make sure you have fewer connections
> per second than the max the syslog can handle of course.  This insane
> level of logging would be hard to deal with, but would give very
> good detail on any security issues you have.  *shrug* ymmv


In the case of having enough address space available for my LAN, how do 
I deactivate NAT on M0n0Wall so that connections come from the LAN 
clients' IP addresses? That's what I want.
(I didn't put in any NAT rule, but connections are still coming from the 
M0n0 WAN IP.)

> 2) Dynamic addressing
> In this way WiFi is like dialup - and the problem can be solved
> in the same way using the captive portal feature and RADIUS auth.
> (RADIUS was mainly developed to support dialup it seems).
> Your radius logs should be able to tell you who authenticated when
> and had what IP.  DHCP logs might be useful as well.

Yes, I have dynamic IP addressing for LAN clients (M0n0 = DHCP server) 
and Radius authentication.
I am able to find a user, knowing the M0n0 IP address that makes an HTTP 
request to an external server at a precise time, by looking at the 
firewall logs (request from the LAN client on the M0n0 LAN interface, 
then from the M0n0 WAN interface to the external server), DHCP logging 
(to find the client MAC address knowing his LAN IP), and Radius logging 
(to find the client username knowing his MAC address; FreeRadius just 
logs the client MAC address and NAS IP address).
All these logs can be redirected to a syslog server, but that's still 3 
different logs to analyse.

It would be a great benefit to know the LAN IP address used...


> -josh

Denis Mirassou
Service Réseaux
Centre Interuniversitaire de Calcul de Toulouse (C.I.C.T)
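The three-log walk Denis describes above (firewall log on the LAN interface -> LAN IP, DHCP log -> MAC, RADIUS log -> username, all pinned to the reported time) is the sort of thing that is worth scripting rather than doing by hand per incident. The script below is an added example and is not part of the original thread or of m0n0wall; the log lines embedded in it are constructed, the ipmon and radiusd line layouts are simplified approximations rather than exact m0n0wall or FreeRADIUS output (the dhcpd `DHCPACK on ... to ...` form is the ISC dhcpd format), and the year, the WAN address and the interface names are assumptions. It deliberately skips the WAN-interface copy of the connection (source already rewritten to the NAT address) and only accepts a DHCP lease or RADIUS login that was issued at or before the reported time, so a lease reassigned after the incident does not point at the wrong user.

```python
"""Correlate firewall, DHCP and RADIUS logs to name a captive-portal user.

Input: "your address hit server X at time T".  Output: LAN IP -> MAC -> user.
Log lines are constructed for this example; formats are approximations.
"""
import re
from datetime import datetime, timedelta

# Assumptions for this example (not from the original post)
YEAR = 2004              # syslog timestamps carry no year
WAN_IP = "203.0.113.5"   # m0n0wall WAN address that NAT rewrites sources to

# Constructed ipmon-style lines: interface, action, src,port -> dst,port
FIREWALL_LOG = """\
Sep 25 02:57:55 m0n0 ipmon: sis0 pass 192.168.1.40,1122 -> 198.51.100.9,443 tcp
Sep 25 02:57:56 m0n0 ipmon: sis0 pass 192.168.1.23,3344 -> 198.51.100.20,80 tcp
Sep 25 02:57:56 m0n0 ipmon: sis1 pass 203.0.113.5,50123 -> 198.51.100.20,80 tcp
Sep 25 03:10:02 m0n0 ipmon: sis0 pass 192.168.1.77,4000 -> 198.51.100.20,80 tcp
"""
# Constructed ISC dhcpd lines; note 192.168.1.23 is re-leased after the incident
DHCP_LOG = """\
Sep 25 02:30:11 m0n0 dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 via sis0
Sep 25 02:55:40 m0n0 dhcpd: DHCPACK on 192.168.1.40 to 00:aa:bb:cc:dd:ee via sis0
Sep 25 03:05:00 m0n0 dhcpd: DHCPACK on 192.168.1.23 to 00:99:88:77:66:55 via sis0
"""
# Constructed radiusd lines; "cli" carries the Calling-Station-Id (client MAC)
RADIUS_LOG = """\
Sep 25 02:31:02 m0n0 radiusd: Auth: Login OK: [dmirassou] (from client m0n0 port 0 cli 00-11-22-33-44-55)
Sep 25 02:56:10 m0n0 radiusd: Auth: Login OK: [jdoe] (from client m0n0 port 0 cli 00-AA-BB-CC-DD-EE)
Sep 25 03:06:30 m0n0 radiusd: Auth: Login OK: [guest] (from client m0n0 port 0 cli 00-99-88-77-66-55)
"""

TS = r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
FW_RE = re.compile(TS + r" \S+ ipmon: (?P<iface>\S+) (?P<action>\S+) "
                   r"(?P<src>[\d.]+),\d+ -> (?P<dst>[\d.]+),\d+")
DHCP_RE = re.compile(TS + r" \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9A-Fa-f:]{17})")
RADIUS_RE = re.compile(TS + r" \S+ radiusd: Auth: Login OK: \[(?P<user>[^\]/]+)[^\]]*\]"
                       r".*cli (?P<mac>[0-9A-Fa-f-]{17})")


def _ts(m):
    """Build a datetime from a matched syslog timestamp (year assumed)."""
    return datetime.strptime(f"{m['mon']} {m['day']} {YEAR} {m['time']}", "%b %d %Y %H:%M:%S")


def parse_when(s):
    m = re.match(TS, s)
    if not m:
        raise ValueError(f"bad timestamp: {s!r}")
    return _ts(m)


def norm_mac(mac):
    """RADIUS logs 00-11-.. and dhcpd 00:11:..; compare in one form."""
    return mac.lower().replace("-", ":")


def find_lan_client(fw_log, dst_ip, when, window=2):
    """LAN-side source of the connection to dst_ip closest to `when` (+/- window s)."""
    best = None
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m or m["dst"] != dst_ip or m["src"] == WAN_IP:
            continue  # WAN-interface copy: source is already NATed, useless here
        delta = abs(_ts(m) - when)
        if delta <= timedelta(seconds=window) and (best is None or delta < best[0]):
            best = (delta, m["src"])
    return best[1] if best else None


def find_mac(dhcp_log, lan_ip, when):
    """MAC holding lan_ip at `when`: the latest DHCPACK for that IP at or before `when`."""
    best = None
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m and m["ip"] == lan_ip and _ts(m) <= when and (best is None or _ts(m) > best[0]):
            best = (_ts(m), norm_mac(m["mac"]))
    return best[1] if best else None


def find_user(radius_log, mac, when):
    """Username of the latest successful login from `mac` at or before `when`."""
    best = None
    for line in radius_log.splitlines():
        m = RADIUS_RE.match(line)
        if m and norm_mac(m["mac"]) == mac and _ts(m) <= when and (best is None or _ts(m) > best[0]):
            best = (_ts(m), m["user"])
    return best[1] if best else None


def trace(dst_ip, when_str, fw_log=FIREWALL_LOG, dhcp_log=DHCP_LOG, radius_log=RADIUS_LOG):
    """Walk firewall -> DHCP -> RADIUS; any missing hop leaves the rest as None."""
    when = parse_when(when_str)
    lan_ip = find_lan_client(fw_log, dst_ip, when)
    mac = find_mac(dhcp_log, lan_ip, when) if lan_ip else None
    user = find_user(radius_log, mac, when) if mac else None
    return {"lan_ip": lan_ip, "mac": mac, "user": user}


if __name__ == "__main__":
    print(trace("198.51.100.20", "Sep 25 02:57:56"))
```

The two-second window on the firewall match is a guess at the clock skew between the remote sysadmin's timestamp and the m0n0wall syslog; widen it to whatever NTP discipline the two sites actually have, and if several LAN clients hit the same server inside the window, report all of them rather than the closest one.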